Proposal Would Gut Privacy Laws, Allow Unprecedented Data-Grab by Government

We’re for better network, computer, and device security. Unfortunately, "cybersecurity" bills often go off track—case in point: the " Internet kill switch. " The latest example comes courtesy of the leaders of the House Intelligence Committee. Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) are introducing "The Cyber Intelligence Sharing and Protection Act of 2011"(PDF).

The bill would allow a broad swath of ISPs and other private entities to "use cybersecurity systems" to collect and share masses of user data with the government, other businesses, or "any other entity" so long as it’s for a vaguely-defined "cybersecurity purpose." It would trump existing privacy statutes that strictly limit the interception and disclosure of your private communications data, as well as any other state or federal law that might get in the way. Indeed, the language may be broad enough to bless the covert use of spyware if done in "good faith" for a "cybersecurity purpose."

This broad data-sharing between companies wouldn’t be subject to any oversight or transparency measures (users can’t restrict companies’ sharing), while the only oversight for sharing with the federal government, ironically, would be through the Privacy and Civil Liberties Oversight Board—which hasn’t existed since January 2008.

Worse yet, the bill doesn’t limit what the federal government can do with the data or private communications that ISPs and others hand over, except to say that it can’t be used for "regulatory" purposes—apparently it can be used for law enforcement and intelligence targeting purposes.

Based on how this proposal diverges from the White House’s own cybersecurity proposal from May 12, we hope and expect that the Administration isn’t happy with this House Intelligence bill for several reasons—insufficient privacy protections, lack of oversight, skepticism about efficacy. Perhaps at the top of the list is concern over the fact that the bill allows information sharing with any federal agency—including the National Security Agency (NSA)—thereby threatening civilian control of domestic cybersecurity efforts. As Rod Beckstrom, former Director of DHS’s National Cybersecurity Center, said when he resigned in March 2009:

"NSA currently dominates most national cyber efforts…. I believe this is a bad strategy…. The intelligence culture is very different from a network operations or a security culture [and] the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly).

Lawmakers should not rush to approve such a broad expansion of government power to obtain private information about its citizens without so much as a hearing on the bill. EFF flatly opposes this bill, and urges House Intelligence Committee members to oppose the bill and support any amendments to make it more privacy-protective if and when the Committee considers the proposal tomorrow. Eviscerating our online privacy protections won’t strengthen our cybersecurity, it will only undermine it.

Related Updates

Lt. Gen. Paul Nakasone, the new nominee to direct the NSA, faced questions Thursday from the Senate Select Committee on Intelligence about how he would lead the spy agency. One committee member, Senator Ron Wyden (D-OR), asked the nominee if he and his agency could avoid the mistakes of...

There’s a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is...

EFF and 23 other civil liberties organizations sent a letter to Congress urging Members and Senators to oppose the CLOUD Act and any efforts to attach it to other legislation. The CLOUD Act (S. 2383 and H.R. 4943) is a dangerous bill that would tear away global privacy...

The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on...

We need to talk about national security secrecy. Right now, there are two memos on everyone’s mind, each with its own version of reality. But the memos are just one piece. How the memos came to be—and why they continue to roil the waters in Congress—is more important. On January...

Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of...

The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Privacy Office, and Office of Field Operations recently invited privacy stakeholders—including EFF and the ACLU of Northern California—to participate in a briefing and update on how the CBP is implementing its Biometric Entry/Exit Program.
As we’ve written ...